CVE-2025-6947
Description
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in WatchGuard Fireware OS allows Stored XSS via the SIP Proxy module. This vulnerability requires an authenticated administrator session to a locally managed Firebox.
This issue affects Firebox: from 12.0 through 12.11.2.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Stored XSS in the WatchGuard Fireware OS SIP Proxy module allows an authenticated administrator to execute arbitrary JavaScript in another management user's browser session.
Vulnerability
A stored cross-site scripting (XSS) vulnerability exists in the management interface of WatchGuard Firebox appliances via the SIP Proxy configuration. The root cause is improper neutralization of user-supplied input during web page generation, allowing injection of arbitrary JavaScript code [1].
Exploitation
To exploit this vulnerability, an attacker must have authenticated administrator access to a locally managed Firebox. The attacker can then inject malicious script into the SIP Proxy settings. When another administrator views the affected management interface, the injected script executes in their browser session [1].
Impact
Successful exploitation enables an attacker to execute arbitrary JavaScript in the context of another management user's browser. This could lead to actions performed on behalf of that user, such as modifying firewall rules, exfiltrating configuration data, or further pivoting within the network [1].
Mitigation
WatchGuard has released patched versions: Fireware OS 12.11.3 for general 12.x models, and 12.5.13 for T15 and T35 models. No workaround is available [1].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
Range: >=12.0 <=12.11.2
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.